Pierre Jourdan

Name of the Vulnerable Software and Affected Versions: FusionPBX version 4.5.7 Description: A Directory Traversal issue exists, allowing malicious users to rename any file on the system. This is achieved via the `folder`, `filename`, and `newfilename` variables in the appeditfilerename.php file. Recommendations: For FusionPBX version 4.5.7, consider restricting access to the appeditfilerename.php file until a patch is available. As a temporary workaround, avoid using the `folder`, `filename`, and `newfilename` variables in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: FusionPBX version 4.5.7 Description: A Directory Traversal issue exists, allowing a remote malicious user to create folders via the `folder` variable to "appeditfoldernew.php". Recommendations: For FusionPBX version 4.5.7, consider restricting access to the "appeditfoldernew.php" endpoint until a patch is available. As a temporary workaround, avoid using the `folder` variable in the affected endpoint to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: FusionPBX version 4.5.7 Description: A Directory Traversal issue allows a remote malicious user to delete folders on the system. This is achieved by exploiting the `folder` variable in the "/app/edit/folderdelete.php" endpoint. Recommendations: For FusionPBX version 4.5.7, consider restricting access to the "/app/edit/folderdelete.php" endpoint until a patch is available. As a temporary workaround, avoid using the `folder` variable in this endpoint to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: FusionPBX version 4.5.7 Description: A Cross Site Scripting (XSS) issue exists, allowing remote malicious users to inject arbitrary web script or HTML via an unsanitized `query string` variable in the appdevicesdevice imports.php file. Recommendations: For FusionPBX version 4.5.7, update the software to a version that sanitizes the `query string` variable, or as a temporary workaround, consider restricting access to the device imports.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: FusionPBX version 4.5.7 Description: A Cross Site Scripting (XSS) issue allows remote malicious users to inject arbitrary web script or HTML via an unsanitized `f` variable in the appvarsvars textarea.php file. This enables attackers to execute malicious scripts on the victim's browser. Recommendations: For FusionPBX version 4.5.7, as a temporary workaround, consider sanitizing the `f` variable in the appvarsvars textarea.php file to prevent XSS attacks. Restrict access to the vars textarea.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FusionPBX versions up to 4.5.7 **Description** The issue concerns the use of an unsanitized `query string` variable in the file appdestinationsdestination imports.php, which is reflected in HTML and leads to a cross-site scripting (XSS) issue. **Recommendations** For FusionPBX versions up to 4.5.7, as a temporary workaround, consider sanitizing the `query string` variable in the destination imports.php file to prevent XSS attacks.

**Name of the Vulnerable Software and Affected Versions** FusionPBX versions prior to 4.5.8 **Description** The issue concerns the use of an unsanitized `query string` variable in the file appextensionsextension imports.php, which is reflected in HTML. This leads to a cross-site scripting (XSS) issue, allowing potential attackers to inject malicious scripts into the webpage. **Recommendations** For FusionPBX versions prior to 4.5.8, update to version 4.5.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the extension imports.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FusionPBX versions prior to 4.5.8 **Description** The issue concerns the use of an unsanitized `id` variable in the `contact notes.php` file, which is reflected in HTML. This leads to a cross-site scripting (XSS) issue, where an attacker can inject malicious code into the HTML of the page. **Recommendations** For FusionPBX versions prior to 4.5.8, update to version 4.5.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the `contact notes.php` file or sanitizing the `id` variable to prevent XSS attacks.

**Name of the Vulnerable Software and Affected Versions** FusionPBX versions up to 4.5.7 **Description** The issue concerns the use of an unsanitized `query string` variable in the file `appcontactscontact edit.php`, which is reflected in HTML and leads to a cross-site scripting (XSS) issue. This occurs when the variable comes from the URL. **Recommendations** For FusionPBX versions up to 4.5.7, as a temporary workaround, consider sanitizing the `query string` variable in the `contact edit.php` file to prevent XSS attacks. Restrict access to the `contact edit.php` file until a proper fix is applied.

**Name of the Vulnerable Software and Affected Versions** FusionPBX versions up to 4.5.7 **Description** The issue arises from the file appcontactscontact addresses.php using an unsanitized `id` variable from the URL, which is then reflected in HTML. This leads to a cross-site scripting (XSS) issue, allowing potential attackers to inject malicious scripts into the webpage. **Recommendations** For FusionPBX versions up to 4.5.7, consider updating to a version that sanitizes the `id` variable to prevent XSS attacks. As a temporary workaround, restrict access to the contact addresses.php file to minimize the risk of exploitation. Avoid using the `id` variable in the affected URL until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FusionPBX versions up to 4.5.7 **Description** The issue concerns the use of an unsanitized `contact uuid` variable in the file appmessagesmessages thread.php, which is reflected in HTML on three occasions, leading to a cross-site scripting (XSS) issue. This allows for the execution of malicious scripts in the context of the affected application. **Recommendations** For FusionPBX versions up to 4.5.7, update to a version that sanitizes the `contact uuid` variable to prevent XSS attacks. As a temporary workaround, consider restricting access to the messages thread.php file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FusionPBX versions prior to 4.5.8 **Description** The issue concerns the use of an unsanitized `id` variable from the URL in the file appconference profilesconference profile params.php. This variable is reflected in HTML on two occasions, leading to a potential XSS issue. **Recommendations** For FusionPBX versions prior to 4.5.8, update to version 4.5.8 or later to resolve the issue. As a temporary workaround, consider validating and sanitizing the `id` variable to prevent XSS attacks. Restrict access to the conference profile params.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FusionPBX versions prior to 4.5.8 **Description** The issue concerns the use of an unsanitized `id` variable in the file appaccess controlsaccess control nodes.php, which is reflected in HTML. This leads to a cross-site scripting (XSS) issue, allowing potential attackers to inject malicious scripts into the webpage. **Recommendations** For FusionPBX versions prior to 4.5.8, update to version 4.5.8 or later to resolve the issue. As a temporary workaround, consider validating and sanitizing the `id` variable to prevent XSS attacks. Restrict access to the access control nodes.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FusionPBX versions prior to 4.5.8 **Description** The issue concerns an XSS vulnerability in the paging function of the resourcespaging.php file. This function is called by several pages of the interface and uses an unsanitized `param` variable, which is partially constructed from URL arguments and reflected in HTML. **Recommendations** For FusionPBX versions prior to 4.5.8, update to version 4.5.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the resourcespaging.php file to minimize the risk of exploitation. Avoid using the `param` variable in the affected pages until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FusionPBX versions prior to 4.5.8 **Description** The issue concerns an unsanitized `filename` variable in the `recording play.php` file, which is base64 decoded and reflected in HTML. This leads to a potential XSS issue. **Recommendations** For FusionPBX versions prior to 4.5.8, update to version 4.5.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the `recording play.php` file to minimize the risk of exploitation. Avoid using the `filename` variable in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FusionPBX versions prior to 4.5.8 **Description** The issue concerns the use of an unsanitized `rec` variable in the `xml cdr delete.php` file, which allows for the deletion of any system file. This is achieved through a base64 decoded variable coming from the URL. **Recommendations** For FusionPBX versions prior to 4.5.8, update to version 4.5.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the `xml cdr delete.php` file to minimize the risk of exploitation. Avoid using the `rec` variable in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FusionPBX versions prior to 4.5.8 **Description** The issue in FusionPBX allows unauthorized access to download files due to an unsanitized variable `f` coming from the URL in the file resourcesdownload.php. This enables an attacker to download any file by providing its pathname. The resourcessecure download.php file is also affected. **Recommendations** For FusionPBX versions prior to 4.5.8, update to version 4.5.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the resourcesdownload.php and resourcessecure download.php files until a patch is applied. Avoid using the `f` variable in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FusionPBX versions prior to 4.5.8 **Description** The issue concerns the use of an unsanitized `query string` variable in the `contact import.php` file, which is reflected in HTML. This leads to a cross-site scripting (XSS) issue, allowing potential attackers to inject malicious scripts into the application. **Recommendations** For FusionPBX versions prior to 4.5.8, update to version 4.5.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the `contact import.php` file to minimize the risk of exploitation. Avoid using the `query string` variable in the affected URL until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FusionPBX versions prior to 4.5.8 **Description** The issue concerns the use of an unsanitized `eavesdrop dest` variable in the content.php file, which is reflected in HTML and leads to a cross-site scripting (XSS) issue. This allows for potential malicious script execution. **Recommendations** For FusionPBX versions prior to 4.5.8, update to version 4.5.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the content.php file in the basic operator panel resources to minimize the risk of exploitation. Avoid using the `eavesdrop dest` variable in URLs until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FusionPBX versions prior to 4.5.8 **Description** The issue concerns the use of an unsanitized variable `c` from the URL in the file appconferences activeconference interactive.php, which is reflected in HTML. This leads to a cross-site scripting (XSS) issue, allowing potential attackers to inject malicious scripts into the website. **Recommendations** For FusionPBX versions prior to 4.5.8, update to version 4.5.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the conference interactive.php file until a patch is applied. Avoid using the `c` variable in the affected URL until the issue is resolved.